Secure by Design
VerifyThisSeal.com services are built to be secure by design, and we proactively align our controls and policies with rigorous industry standards such as SOC 2, ISO 27001, and NIST 800.
Our Security Posture
Every aspect of our platform is built on a foundation of robust, multi-layered security controls. Below is a detailed overview of our technical implementation.
Identity & Access Control
Access to our systems and your data is governed by a strict, zero-trust framework designed to ensure only authorized actors can perform approved actions.
- Multi-Factor Authentication (MFA): Every user account is protected by an Email-based One-Time Password (OTP) verification step upon login. For all internal staff, we enforce the use of FIDO2-compliant physical hardware security tokens for all critical systems.
- Cryptographic Credential Storage: Passwords and recovery keys are never stored directly. We use the industry-standard bcrypt hashing algorithm with a computationally expensive work factor and a unique salt for every credential, preventing rainbow-table and reverse-hash attacks.
- Secure Server-Side Session Management: To mitigate session hijacking, user sessions are not stored client-side. We use connect-pg-simple to maintain session state within our encrypted PostgreSQL database; only the session identifier reaches the browser, transmitted exclusively via Secure-flagged cookies.
- Principle of Least Privilege (IAM): Internal access is governed by a granular Role-Based Access Control (RBAC) system. Staff are granted only the minimum permissions necessary to perform their duties, enforced by our checkPermission middleware.
Application & Data Security
Our application is architected to be resilient against modern web threats through secure coding practices, dependency management, and proactive defense mechanisms.
- Cross-Site Scripting (XSS) Mitigation: All user-controllable content is treated as untrusted. Before rendering, it is sanitized with DOMPurify to neutralize malicious script injection and ensure content safety.
- Cross-Site Request Forgery (CSRF) Defense: We use the lusca library to generate and validate unique, per-session anti-CSRF tokens on all state-changing routes, ensuring that each such request was intentionally made by the authenticated user.
- Atomic Database Transactions: To ensure data integrity, all multi-step database operations are performed as atomic transactions (BEGIN ... COMMIT). If any step fails, the entire operation is rolled back (ROLLBACK), preventing partial or corrupt data states.
- Secure File Handling: File uploads are processed directly into memory buffers using multer.memoryStorage(). This avoids writing to the local filesystem, mitigating the risk of path traversal exploits and reducing the server's attack surface.
Encryption In-Depth
We employ a multi-layered encryption strategy to protect your data throughout its entire lifecycle.
- Encryption in Transit: All data transmitted between your device and our platform is protected with strong, industry-standard TLS 1.2+ encryption, enforced across all services.
- Encryption at Rest: Our production databases on Google Cloud SQL, and all associated storage volumes and backups, are fully encrypted at rest by default using AES-256 encryption.
- Encrypted Credential Management: Application secrets, API keys, and database credentials are never stored in our source code. They are stored and encrypted within Google Secret Manager and accessed securely via IAM roles at runtime.
- Endpoint Encryption: We enforce a policy of mandatory full-disk encryption (e.g., FileVault, BitLocker) on all company workstations, safeguarding data in the event of physical device loss.
Infrastructure & Network Security
Our platform is built on the secure, scalable, and resilient infrastructure of Google Cloud Platform (GCP).
- Hardened Runtime Environment: Our application runs on Google Cloud Run, a managed serverless platform that abstracts and secures the underlying infrastructure, ensuring it is always patched and configured according to Google's best practices.
- Layered Firewall & DDoS Protection: We utilize GCP's global network, Web Application Firewall (WAF), and advanced security services, including built-in DDoS mitigation, to protect against network-level attacks.
- Intelligent Threat & Bot Detection: We employ Google reCAPTCHA Enterprise on sensitive forms and express-rate-limit on our API endpoints. This combination provides adaptive risk analysis to distinguish human users from credential stuffing, brute-force, and other automated attacks.
- Geographic Redundancy: Our infrastructure is architected for redundancy, with services and data duplicated across multiple physical regions within the United States to ensure high availability and operational continuity.
- Email Security: To protect against phishing and domain spoofing, we have implemented DMARC, DKIM, and SPF records for our sending domains.
Third-Party & Vendor Security
We extend our security standards to our partners, ensuring every part of our service chain is secure and compliant.
- Zero PCI Scope Architecture: We partner with Stripe, a certified PCI DSS v4.0 Level 1 Service Provider. Your sensitive payment data is sent directly from your browser to Stripe's secure environment and never touches our servers, completely removing us from PCI scope.
- Cryptographic Webhook Verification: We verify the cryptographic signature of every incoming webhook from our partners, like Stripe, to ensure its authenticity and integrity before any data is processed.
- Strict Vendor Due Diligence: We only engage with third-party sub-processors that are SOC 2 compliant and undergo annual, independent penetration tests. We ensure our critical vendors adhere to global privacy frameworks like the Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP).
Operational Security & Auditing
Security is an active, continuous process involving vigilant monitoring, structured response, and a culture of accountability.
- Immutable Audit Trail: Every significant platform event is recorded in a detailed, actor-centric audit trail via our withAudit middleware. This log provides full traceability for security investigations and compliance reviews.
- Formalized Change Management: All changes to our production environment follow a strict change control process, including peer review, automated testing, and logging, to ensure stability, security, and accountability.
- Fail-Secure Design: Our application is designed to fail securely. Unhandled exceptions and promise rejections are caught at the process level and logged, and the process is then terminated rather than left running in an unknown state where data could leak.
Vulnerability & Patch Management
We are committed to the proactive identification and remediation of security vulnerabilities across our platform.
- Continuous Vulnerability Scanning: Vulnerability scans are run on a daily basis to ensure that our applications and infrastructure are up to date.
- Prioritized Remediation: Vulnerabilities identified through scanning, misconfiguration and configuration-drift monitoring, penetration tests, or code reviews are patched and remediated according to their materiality.
Legal & Privacy
We believe transparency is a cornerstone of trust. Our legal policies are living documents, accessible to all users.
- Version-Controlled Policies: Our Privacy Policy, Terms of Service, and Cookie Policy are maintained with version control. Current and historical versions are available on our site, ensuring you can always review the terms that apply to you.
- Privacy Law Compliance: We prioritize your privacy and never sell or share your personal information for targeted advertising on our site, upholding your choices even as we use ad revenue to keep costs low. We are committed to robust compliance with US state privacy legislation (CPRA, CPA, CTDPA, DPDPA, FDBR [settings only], ICDPA, MCDPA, NHPA, NJDPA, OCPA, TDPSA, UCPA, VCDPA) and international law (GDPR).
Link Indicators
For your clarity and security awareness, we use distinct icons to indicate links that lead away from our site or initiate specific actions:
- This external-link icon indicates a link to an external website, which will open in a new tab.
- This envelope icon indicates an email link, which will open your default email client.
Responsible Disclosure
We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.
Our program adheres to the following industry standards: